PatchSiren cyber security CVE debrief
CVE-2016-7969 Fedoraproject CVE debrief
CVE-2016-7969 is a high-severity availability issue in libass’s wrap_lines_smart function. According to the CVE record, versions before 0.13.4 can be driven into an out-of-bounds read tied to "0/3 line wrapping equalization," which can let a remote attacker cause a denial of service. The impact is limited to availability, but the attack requires no privileges and no user interaction, so exposed media or subtitle-processing paths should be updated promptly.
- Vendor: Fedoraproject
- Product: CVE-2016-7969
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-03-03
- Original CVE updated: 2026-05-13
- Advisory published: 2017-03-03
- Advisory updated: 2026-05-13
Who should care
Operators and developers who ship or embed libass, especially subtitle renderers, media players, streaming services, desktop applications, and Linux distribution maintainers that package libass. Security teams should also check downstream packages in Fedora and openSUSE builds listed in the CVE record.
Technical summary
The NVD record classifies the issue as CWE-125 (out-of-bounds read). The vulnerable code is in libass’s ass_render.c, specifically wrap_lines_smart, and the affected upstream range is identified as libass before 0.13.4 (with CPE coverage up to 0.13.3). The CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, reflecting a remotely triggerable denial-of-service condition without confidentiality or integrity impact.
Defensive priority
High for any environment that processes untrusted subtitles or media using libass, or that ships vulnerable distro packages. Because the issue is remotely reachable and needs no user interaction, patching should be prioritized over routine maintenance work.
Recommended defensive actions
- Upgrade libass to version 0.13.4 or later, or confirm that your distribution has backported the fix.
- Inventory applications, services, and packages that depend on libass, including embedded media and subtitle pipelines.
- Verify vendor advisories and package changelogs for Fedora, openSUSE, and other downstream builds to confirm the fix is present.
- Prioritize exposed services that accept untrusted media or subtitle content for remediation.
- After updating, validate that rendering paths no longer crash on malformed subtitle inputs and monitor for repeated availability failures.
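The upgrade, inventory and backport-verification steps above can be turned into a small triage routine. The following is an added example written for this debrief (it is not code from libass, NVD or any distribution); the host names, package versions and the backport list are constructed sample data, and a distro build is recognised simply by the release suffix after the first "-" in its version string.

```python
"""Triage helper for CVE-2016-7969: flag libass builds below the fixed upstream
release 0.13.4. Added example for this debrief (not code from libass, NVD or
any distro); hosts, package versions and the backport list are constructed."""
import re

FIXED_UPSTREAM = (0, 13, 4)  # first libass release containing the fix


def upstream_version(pkg_version: str) -> tuple:
    """Reduce a package version such as '0.13.2-3.fc25' or '0.13.4' to a
    comparable tuple of its upstream numeric components, e.g. (0, 13, 2).
    The distro release suffix after the first '-' is ignored here."""
    upstream = pkg_version.split("-", 1)[0]
    nums = tuple(int(n) for n in re.findall(r"\d+", upstream))
    return nums + (0,) * (3 - len(nums))  # pad '0.13' to (0, 13, 0)


def triage(inventory, known_backported=frozenset()):
    """inventory: iterable of (host, version) pairs for the installed libass.
    known_backported: full version strings whose distro changelog confirms the
    wrap_lines_smart fix was backported despite an upstream number < 0.13.4.
    Returns {host: status} with status in 'fixed', 'verify-backport', 'upgrade'."""
    results = {}
    for host, version in inventory:
        if version in known_backported or upstream_version(version) >= FIXED_UPSTREAM:
            results[host] = "fixed"
        elif "-" in version:           # distro build: the fix may be backported
            results[host] = "verify-backport"
        else:                          # plain upstream build below 0.13.4
            results[host] = "upgrade"
    return results


# Constructed sample inventory, as a scan of installed libass packages might report it.
SAMPLE_INVENTORY = [
    ("player-01", "0.13.1"),          # source build, below the fix
    ("render-02", "0.13.2-3.fc25"),   # distro build, changelog must be checked
    ("render-03", "0.13.2-4.fc25"),   # distro build listed below as backported
    ("stream-04", "0.13.4"),          # fixed upstream release
    ("stream-05", "0.14.0-1.fc27"),   # newer distro build
]
# Hypothetical backport marker; in practice take this from the package changelog.
SAMPLE_BACKPORTED = frozenset({"0.13.2-4.fc25"})

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY, SAMPLE_BACKPORTED).items()):
        print(f"{host:<10} {status}")
```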
Evidence notes
The CVE record and NVD detail page identify libass before 0.13.4 as vulnerable and cite an out-of-bounds read in wrap_lines_smart. The record also lists upstream patch/release references, distro advisories, and a primary CWE-125 classification. Affected CPEs in the source corpus include libass up to 0.13.3 and multiple downstream Fedora/openSUSE packages.
Official resources
- CVE-2016-7969 CVE record (CVE.org)
- CVE-2016-7969 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference ([email protected]): Third Party Advisory
- Mitigation or vendor reference ([email protected]): Mailing List, Patch, Third Party Advisory
- Mitigation or vendor reference ([email protected]): Third Party Advisory, VDB Entry
- Mitigation or vendor reference ([email protected]): Issue Tracking, Patch
- Mitigation or vendor reference ([email protected]): Patch, Vendor Advisory
- Mitigation or vendor reference ([email protected]): Patch, Release Notes, Third Party Advisory
Source reference
The CVE record was published on 2017-03-03, and the source corpus includes supporting vendor/community references from 2016-10-05. The 2026-05-13 modified date reflects record maintenance in NVD, not the original vulnerability date.